Safe Harbor Decision is dead

Czech Republic: A landmark decision by the European Court of Justice spells the end for the unrestricted transfer of personal data to the U.S. on the basis of the Safe Harbor program

Within the context of the Safe Harbor regime which was created in 2000 by an EC decision, it was possible to pass on personal data originating in the EU to companies in the U.S. which voluntarily submitted to certain privacy protection principles and were whitelisted on the Safe Harbor List, without having to obtain a license from the Data Protection Office first. However, the European Court of Justice has quashed this decision of the European Commission, ruling on a dispute between Facebook Ireland Ltd. and Edward Snowden, the man who went public with information on the massive global surveillance of phone and e-mail communication by the U.S. intelligence services.

Now that the Safe Harbor regime has been cancelled, the USA have lost their privileged status in the area of cross-border transfers of personal data, and are subject to the same rules as any other non-EU country. Given that the “Safe Harbor” pact provided for the easiest way how to transfer data to the U.S., the above-mentioned ECJ ruling will have far-reaching consequences, not only for large American corporations such as Google or the operators of cloud solutions, but in particular for their European clients. The rub of the problem lies in the fact that the largest providers of data-center services on the global level are in fact U.S. companies. Until a new agreement has been made between the European Commission and the USA, the transfer of personal data will have to take one of the forms described below.

The first option is to include a standard contractual clause in agreements under which the relevant party undertakes to ensure that the data which it passes on to third countries will be adequately protected from unauthorized interference; to this end, the standard contractual clause stipulates the specific obligations of the parties, the scope of their liability, the procedure for the resolution of disputes, etc.

The second option entails passing so-called binding corporate rules – an internal set of rules which only applies within a given corporation (being active in several EU countries). The BCR will usually govern the transfer of information about clients or employees of the company. However, the procedure for adopting such binding corporate rules is quite cumbersome, not least because the wording of the rules must comply with all national data protection rules in all countries in which the company entertains a presence.

In all other cases, the Data Protection Office (Úřad pro ochranu osobních údajů – ÚOOÚ) will have to be asked for a license to transfer personal data, whereas at least one of the statutory grounds for such transfer anticipated by the Data Protection Act must be given, such as a situation in which the data is being transferred with the data subject’s consent, a situation in which the transfer of data is a necessary prerequisite for entering into the relevant contract, or a situation in which pressing public interest calls for the transfer of data.

Source: ECJ judgment in Schrems v. Data Protection Commissioner (C-362/14), and Act No. 101/2000 Coll., on the protection of personal data

Subscribe to our newsletter

By pressing Subscribe you consent to our data processing terms